According to the 'Distributed Denial of Service Trends Report - 2nd Quarter 2015' published by VeriSign today, between April 1 and June 30 there was increased activity from the DDoS For Bitcoin (DD4BC) attack group. This came not only in the form of ransom threats (the ransom being demanded in Bitcoin, hence the name) but also in unpaid threats being followed through with actual attacks. Most DD4BC attacks have traditionally been, and largely remain, within the one to five Gbps size range.
The report says that the second most targeted industry sector for all DDoS attacks was finance and payments, which made up some 22 percent of those mitigated by VeriSign, and that this was largely driven by the DD4BC attack group.
The VeriSign conclusions appear to tie in with those from other recent Internet threat reports such as Akamai's 'State of the Internet - Q2 2015' which concurs that many DDoS attacks were fuelled by actors such as DD4BC and those copying their ransom tactics and attack methodologies.
Akamai reckons that the group "expanded its extortion and DDoS campaigns during April and May" and it has found itself protecting "a growing number of customers" from DD4BC attacks as a result.
Akamai says that several customers have received ransom demands threatening DDoS attacks of between 400 and 500 Gbps if the money was not paid, although it had not seen anything larger than 50 Gbps in reality up until the time the report was published.
It would seem that DD4BC does not have quite the resources to pull off attacks of the size it threatens, considering that VeriSign has also yet to see anything from it approaching a three-figure Gbps attack, so is DD4BC actually just a bunch of (albeit fairly successful) chancers?
VeriSign reckons the attack group is comprised of a relatively small number of people, likely to be fewer than five according to VeriSign iDefense research. That hasn't stopped it from attacking targets around the world and across industry sectors including banking, exchanges (Bitcoin specifically) and gaming.
The threats seem to follow the same general form: they start with an extortion demand threatening a DDoS attack if a one-off Bitcoin payment isn't made. If the initial threat is ignored, an increased ransom demand is made before a small demonstration DDoS attack is launched in order to 'prove our claims'. If no ransom is still forthcoming, larger attacks in the 10-30 Gbps range are launched, again with increased demands for payment.
Here's an actual example of an extortion email sent by the DD4BC group:
To introduce ourselves first:
Or just google “DD4BC” and you will find more info. So, it's your turn! All your servers are going under DDoS attack unless you pay 40 Bitcoin. Pay to xxxxxxxxxxxxxx
Please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400-500 Gbps. Right now we are running small demonstrative attack on one of your IPs: X.X.X.X Don't worry, it will not be hard and will stop in 1 hour. It's just to prove that we are serious.
We are aware that you probably don't have 40 BTC at the moment, so we are giving you 24 hours to get it and pay us.
Find the best exchanger for you on howtobuybitcoins.info or localbitcoins.com You can pay directly through exchanger to our BTC address, you don't even need to have BTC wallet.
Current price of 1 BTC is about 230 USD, so we are cheap, at the moment. But if you ignore us, price will increase.
Adrian Crawley, regional director for Northern Europe at Radware, whose ERT team monitors the group as part of its continuous vector assessments, told SCMagazineUK.com that DD4BC emerged in 2014 but more recently escalated operations by attacking targets in Switzerland, New Zealand and Australia.
"On March 12, 2015 a bounty for full and proven identity of DD4BC was published by Bitmain after it was attacked by the group," Crawley tells us. "As a result of the bounty publication, there was a dramatic increase in the attacks propagated by DD4BC." Either it feared the gig was about to be up and wanted to profit as much as possible while it still could, or it simply wasn't scared of being caught. Whatever the reason, intelligence collated by Radware suggested the attacks would continue into Europe, and that seems to have been the case as the VeriSign report confirms continuing attacks.
We asked Nick Mazitelli, principal consultant at Context Information Security, just how big a player DD4BC is in the overall scheme of things DDoS related, and whether one threat actor really can have such an apparently huge impact upon an entire attack vector as the VeriSign report suggests.
"It seems entirely possible that a single highly active and capable group could have this level of impact," Mazitelli confirmed, continuing: "Once the attack capability is in place, scaling the number of attacks is probably not a difficult task." Aside from which, the apparent effectiveness of the DD4BC attacks in general, combined with the cohesiveness of their approach and branding, increases the visibility of the group. "Other highly active groups might not be as easily attributable," Mazitelli says. "It may even be possible that other criminals, unaffiliated with the original group, are trading off the brand to increase their own returns."
Gavin Reid, VP of threat intelligence at Lancope, is sure of one thing and that is "DD4BC has shown growth in recent months", not least because Bitcoin addresses used in this threat have shown increasing activity. "They started out by attacking Bitcoin and alternative currency mining websites," Reid told SC.
"The next sector attacked was online casinos, a traditional target of DDoS threats for money, and now financials," he said.
Reid reckons we are seeing increased numbers of attacks by this group which is indicative of it becoming a larger criminal enterprise. "Along with increasing numbers of attacks," he told us, "the price of extortion is rising as high as 100 Bitcoins."
Adam Schoeman, senior security intelligence analyst at SecureData, thinks it is telling that the attack targets tend to be in the smaller finance sector, such as Bitcoin exchanges. "Banks have implemented bigger pipes or are better prepared with services like CloudFlare at their disposal," he explains. "Basically no one tries to DDoS financial institutions because they have money, which is more than a group can use to outgun them – this is basically all a DDoS attack is and why an amplification DDoS attack is the only thing that really works on larger companies."
Dave Larson, CTO at Corero, wouldn't necessarily agree, telling us that "financial services organisations are particularly vulnerable to any type of DDoS attack due to the highly transactional nature of their business, as well as the sensitive data and personally identifiable information that is maintained. It appears that DD4BC has strategically and perhaps successfully targeted these types of internet connected businesses with the threat of DDoS."
Perhaps, as Schoeman says, "this threat is almost a natural progression of the BTC Exchange threat – it has become mainstream enough for banks to recognise that extended downtime would cause pain, but it is not established enough for banks to have felt that pain before and to know that DDoS is a real thing."
In other words, the principles of game theory suggest that you should pay now, but instances like this should really be seen as a wake-up call for a bank to realise that it is going to need DDoS protection, and there is no better time to invest than now. "If the DD4BC Group is not the perpetrator, another DDoS group is just as capable," Schoeman warns, adding, "It's the same as keeping your car unlocked with the key in the ignition and paying off everyone that looks like they might steal it, instead of installing a lock and keeping the key with you."
Adrian Crawley has confirmed that there are lots of cases (not widely publicised) where telecoms providers have been hit because of the way the hosting architecture is set up – one gets hit and it invariably takes down several more. There are also examples where the first 'domino' to fall did not know it was under attack because the extortion email had been treated as spam. His mitigation advice, therefore, is to:
a) Ensure you have a process in place for monitoring spam, detecting these emails and verifying if they are genuine with your strategic security vendors
b) Then contact your service providers and major IT infrastructure vendors to invoke a plan
c) Do. Not. Pay
d) Invoke an always-on model of detection and mitigation, or at least an on-demand detection model.
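As an added illustration of step a) (not code from the article or from any vendor quoted in it), the following Python triage routine scores inbound mail against indicators taken from the extortion email quoted above, so that messages matching the DD4BC pattern are pulled out of the spam queue for verification rather than silently discarded. The indicator weights, the threshold and the sample messages are constructed assumptions for this demonstration.

```python
"""Triage inbound mail for DDoS-extortion demands of the DD4BC pattern.

Added illustration, not code from the article or any vendor quoted in it.
Indicator regexes follow the extortion email quoted above; weights and the
threshold are assumptions. Flagged mail goes to the security team for
verification (step a of the advice); nothing here auto-actions a message.
"""
import re

# (name, regex, weight): weights are assumed values for this demonstration.
INDICATORS = [
    ("group_name",  re.compile(r"\bDD4BC\b", re.I),                              3),
    ("btc_demand",  re.compile(r"\bpay\b.{0,40}\b\d+\s*(BTC|bitcoins?)\b", re.I), 3),
    ("ddos_threat", re.compile(r"\b(DDoS|UDP flood)\b", re.I),                   2),
    ("gbps_claim",  re.compile(r"\b\d{2,4}\s*-?\s*\d{0,4}\s*Gbps\b", re.I),       1),
    ("demo_attack", re.compile(r"demonstrat\w*\s+attack", re.I),                  2),
    ("deadline",    re.compile(r"\b\d+\s*hours?\b", re.I),                        1),
    ("btc_address", re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),          2),
]
THRESHOLD = 6  # assumption: tune against real mail volume before relying on it


def score_message(body: str) -> dict:
    """Return matched indicator names, a weighted score and a flag verdict."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(body)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "flag": score >= THRESHOLD}


# Constructed samples: the first paraphrases the extortion mail quoted in the
# article (address placeholder kept as on the page); the others are ordinary mail.
SAMPLES = {
    "extortion": (
        "Or just google DD4BC and you will find more info. All your servers are "
        "going under DDoS attack unless you pay 40 Bitcoin. Pay to xxxxxxxxxxxxxx. "
        "Our current UDP flood power is 400-500 Gbps. Right now we are running "
        "small demonstrative attack on one of your IPs. We are giving you 24 hours."
    ),
    "newsletter": "Bitcoin price update: 1 BTC is about 230 USD this week.",
    "ticket": "Reminder: the maintenance window starts in 2 hours.",
}


def triage(samples: dict) -> dict:
    """Score every message body; returns {message_name: result}."""
    return {name: score_message(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(f"{name:10} score={result['score']:2} flag={result['flag']} hits={result['hits']}")
```

Only the extortion sample crosses the threshold; the newsletter mentioning Bitcoin prices and the ticket with a deadline score too low to be flagged, which is the point of weighting several indicators rather than keying on any single word.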